Investigator urges better computer crime analysis

Just like your computers, said Tami Loehrs of Tuscon, Ariz., who conducts forensic examinations of them to determine whether crimes have been committed on them or by them through the Internet.

"With wireless, the door's ajar," Loehrs added.

If computer hackers and viruses can break through the security of governments and major corporations that spend millions of dollars to secure their information technology, what happens to individuals?

When anti-virus software fails, individuals can find their identities stolen from or child pornography downloaded to their hard drives.

And sometimes innocent people have been charged, prosecuted and ruined, Loehrs said.

She examined the computer of Massachusetts government employee Michael Fiola, whose laptop was downloading 40 child pornography sites a minute.

A jury acquitted him, but not until after his life was ruined by the stigma of a crime involving the sexual assault of very young children, according to news reports.

Computer virus issues may have led to the conviction of Nathaniel "Ned" Solon of Casper, Loehrs said.

One method of investigating computer crime by law enforcement agencies has put many purveyors of child pornography behind bars, but it doesn't go far enough to determine how the images came to the computer, she said.

Affidavits of many child pornography cases explain the use of special software to identify files -- using a "Secure Hash Algorithm" value -- with known illegal images floating through cyberspace on peer-to-peer (P2P) networks, which directly link computers without a central server.

The software also seeks computers that can share those files.

Once the SHA value has been identified, investigators can make available a file of child pornography and identify computers that have downloaded the file.

In Solon's case, no one disputed the SHA numbers identifying files were on his computer.

The dispute concerned how they arrived.

Former Wyoming Division of Criminal Investigator Randy Huff worked the Solon case and said the computer had to be programmed to look for those images.

But Loehrs said it's not that simple.

If a file does not fully download, or is deleted, the SHA number and file name remain even though the file with the images is not there, she said.

During Solon's trial, Loehrs said payment problems with the court forced her to stop her research about the time she saw evidence that Solon's anti-virus software was failing, meaning the computer might not have been able to keep out child porn images.

Besides the computer activity, Loehrs questioned whether law enforcement agents took everything they needed from Solon's home to conduct an adequate investigation, an assertion disputed by prosecutors.

Likewise, Solon did not have the classic telltale signs of guilty child pornographers, such as spare hard drives to store images, Loehrs said.

Like the general public, the justice system will need time to fully grasp the huge scope of cybercrime, like the time it took to embrace DNA technology, she said.